diff --git a/contrib/apache-eddn.conf b/contrib/apache-eddn.conf
index 62ac7a1..393c8ed 100644
--- a/contrib/apache-eddn.conf
+++ b/contrib/apache-eddn.conf
@@ -151,12 +151,19 @@
+ ####################################
+ # Only uncomment the following if you are setting non-empty
+ # CERT_FILE, and KEY_FILE in the main EDDN config.json
+ ####################################
+ # SSLProxyEngine On
+ # SSLProxyVerify none
+ ####################################
ProxyPreserveHost On
ProxyRequests Off
- # Yes, plain HTTP, as the Gateway process knows nothing of
- # TLS.
+ # Plain http if setting **empty** CERT_FILE and KEY_FILE in
+ # the EDDN config.json, else https.
ProxyPass "http://127.0.0.1:8081/"
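Review bot: The `ProxyPass` line still points at a plain `http://` URL while the new comment above it says "else https", so a reader who sets CERT_FILE/KEY_FILE has nothing concrete to copy; add the alternative as a commented line next to it: `# ProxyPass "https://127.0.0.1:8081/"`. The commented `SSLProxyVerify none` disables backend certificate validation entirely, and the hunk does not say why that is tolerable here — presumably because the upstream is on the loopback interface and the certificate is issued for the public hostname rather than 127.0.0.1, so a name check would fail anyway. A one-line caveat above it would stop the snippet being copied into a non-loopback deployment: `# 'none' is only acceptable because the Gateway is on 127.0.0.1; off-host use SSLProxyVerify require with SSLProxyCACertificateFile`. The enclosing VirtualHost/Location block starts outside this hunk, and some blank context lines appear to have been dropped in display.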
diff --git a/docs/Running-this-software.md b/docs/Running-this-software.md
index c1a8195..895e0d5 100644
--- a/docs/Running-this-software.md
+++ b/docs/Running-this-software.md
@@ -523,7 +523,9 @@ proxying:
Internet -> existing server -> VM -> nginx -> EDDN scripts
-If using Apache on a Debian server then you need some ProxyPass directives:
+If using Apache on a Debian server then you need some ProxyPass directives.
+These assume you using an empty CERT_FILE and KEY_FILE in the override
+config.json. See `contrib/apache-eddn.conf` for how to use TLS instead:
ProxyPreserveHost On
diff --git a/src/eddn/Gateway.py b/src/eddn/Gateway.py
index 6a8457d..21672d2 100644
--- a/src/eddn/Gateway.py
+++ b/src/eddn/Gateway.py
@@ -445,6 +445,11 @@ def main() -> None:
'handler_class': EDDNWSGIHandler,
}
+ # Empty CERT_FILE or KEY_FILE means don't put them in
+ if Settings.CERT_FILE != "" and Settings.KEY_FILE != "":
+ argsd["certfile"] = Settings.CERT_FILE
+ argsd["keyfile"] = Settings.KEY_FILE
+
app.run(
**argsd
)
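Review bot: The added guard treats a half-configured pair as "no TLS": if exactly one of CERT_FILE / KEY_FILE is non-empty, both are dropped and the Gateway silently listens in plaintext, which an operator who just configured a certificate will not expect and which a proxy pointed at an `https://` upstream will then fail against. Fail loudly instead: `if Settings.CERT_FILE and Settings.KEY_FILE:` … `elif Settings.CERT_FILE or Settings.KEY_FILE:` / `    raise SystemExit("CERT_FILE and KEY_FILE must both be set, or both empty")`. Using truthiness rather than `!= ""` also covers a `null` override in config.json, which with the current comparison is passed through as `certfile=None`. Whether `app.run` actually forwards `certfile`/`keyfile` to the underlying server depends on the server adapter selected outside this hunk — worth confirming it does not silently ignore unknown keyword arguments. `main()` begins before this hunk.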
diff --git a/src/eddn/conf/Settings.py b/src/eddn/conf/Settings.py
index e50db4d..e5895c9 100644
--- a/src/eddn/conf/Settings.py
+++ b/src/eddn/conf/Settings.py
@@ -15,6 +15,12 @@ class _Settings(object):
###############################################################################
# Local installation settings
###############################################################################
+ # If these are set to non-empty strings then you reverse proxt setup
+ # **MUST** pass TLS through properly, including to a https URL, not a
+ # plain http one.
+ CERT_FILE = "/etc/letsencrypt/live/eddn.edcd.io/fullchain.pem" # noqa: E221
+ KEY_FILE = "/etc/letsencrypt/live/eddn.edcd.io/privkey.pem" # noqa: E221
+
###############################################################################
# Relay settings
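Review bot: The new defaults are live Let's Encrypt paths for one specific host, so any installation that does not override them in config.json will attempt to open `/etc/letsencrypt/live/eddn.edcd.io/privkey.pem` at startup — TLS is opt-out, not opt-in, and the comment above the constants should say so. Suggest fixing the typos and stating the contract: `# If these are set to non-empty strings then your reverse proxy setup` / `# **MUST** pass TLS through properly, including to a https URL, not a` / `# plain http one.  Set both to "" in config.json to listen on plain http.` Also worth one line noting that `privkey.pem` under /etc/letsencrypt/live is normally readable by root only, so the Gateway's service user needs read access granted deliberately (group/ACL or a renewal deploy hook that copies the key) rather than the process being run as root — the service user is not visible here, so confirm against the deployment.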